Linux Snap Users Warned as Attackers Push Malware Through Old Trusted Apps

A new Snap Store scam campaign abuses expired publisher domains to bypass trust signals and deliver malicious app updates.

Snap Store, a centralized application repository for distributing snap packages operated by Canonical, allows developers to publish applications with relatively low barriers to entry, while users can install and update software automatically through a single trusted channel. However, that trust is now under strain.

In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher, maintaining nearly 50 snaps with thousands of users, warns of a worrying trend affecting Snap packages. Here’s what it’s all about.

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.

Earlier iterations of the campaign relied on newly created publisher accounts and visually convincing storefront pages. However, according to Pope, the latest shift represents a significant escalation.

Instead of creating new accounts, attackers are now monitoring the Snap Store for publishers whose associated domain names have expired. Once a domain lapses, the attackers register it themselves, trigger a password reset on the Snap Store account tied to that domain, and gain control of an established publisher identity. From there, they can push malicious updates to snaps that users may have trusted and installed years earlier.

Pope has identified at least two publisher domains, storewise.tech and vagueentertainment.com, that were taken over using this method. In both cases, previously benign snaps were updated to include wallet-stealing malware without obvious changes to the publisher’s identity or reputation.

Analysis of the malicious snaps shows a recurring pattern. The applications render a web-based interface that closely resembles legitimate wallet software. On launch, they attempt to contact a remote endpoint to verify network connectivity before proceeding.

If a user submits a recovery phrase, it is immediately transmitted to the attackers’ servers. By the time the deception becomes apparent, wallet contents are typically already gone.

Of course, Canonical has removed reported malicious snaps, but Pope notes that enforcement often lags behind discovery, allowing malicious updates to remain available long enough to affect users.

In the meantime, Snap publishers are advised to keep their domain registrations up to date and enable two-factor authentication. At the same time, users are urged to avoid installing cryptocurrency wallet applications from app stores altogether and instead obtain them directly from official project websites.
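The two pieces of advice above map onto two checks a defender can automate. The following Python script is an added example, not code from Pope’s post or from Canonical: it parses `snap list` output to flag installed snaps whose name resembles a cryptocurrency wallet but whose publisher lacks the verified check mark, and it flags a publisher’s own domains that have lapsed or are about to. The `snap list` text, the snap names and publishers, and the expiry dates are all constructed sample data; in practice the expiry dates would come from the registrar.

```python
"""Defender-side checks for the Snap Store publisher-takeover scenario.

1. Inventory: parse `snap list` output and flag wallet-looking snaps whose
   publisher is not verified (no trailing check mark in the Publisher column).
2. Publisher hygiene: flag domains whose registration lapses within a warning
   window, since an expired domain is the foothold for the account takeover.
"""
from datetime import date, timedelta

# Brand names impersonated in the campaign, used as a name heuristic.
WALLET_KEYWORDS = ("wallet", "exodus", "ledger", "trust")

# Constructed sample of `snap list` output. The 'acme-wallet' and
# 'ledger-live-desktop' rows and their publishers are hypothetical.
SAMPLE_SNAP_LIST = """\
Name                 Version   Rev   Tracking       Publisher          Notes
core22               20240111  1122  latest/stable  canonical✓         base
firefox              122.0-1   3728  latest/stable  mozilla✓           -
acme-wallet          1.0.3     5     latest/stable  acme-publisher     -
ledger-live-desktop  2.70.1    12    latest/stable  example-publisher  -
"""

# Constructed registrar data: domain -> registration expiry date.
SAMPLE_DOMAIN_EXPIRY = {
    "example-publisher.test": date(2024, 3, 1),
    "acme-publisher.test": date(2025, 1, 1),
}


def parse_snap_list(text):
    """Parse `snap list` output into rows of name, publisher and verified flag.

    The Publisher column carries a trailing U+2713 check mark for verified
    publishers; it is stripped from the stored publisher name.
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("Name"):
        raise ValueError("input does not look like `snap list` output")
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue  # malformed or truncated row
        publisher = cols[4]
        rows.append({
            "name": cols[0],
            "publisher": publisher.rstrip("✓*"),
            "verified": publisher.endswith("✓"),
        })
    return rows


def suspicious_wallet_snaps(rows):
    """Return names of wallet-looking snaps published by unverified accounts."""
    flagged = []
    for row in rows:
        name = row["name"].lower()
        if not row["verified"] and any(k in name for k in WALLET_KEYWORDS):
            flagged.append(row["name"])
    return flagged


def expiring_domains(expiry_by_domain, today, window_days=30):
    """Return domains already expired or expiring within window_days of today."""
    cutoff = today + timedelta(days=window_days)
    return sorted(d for d, exp in expiry_by_domain.items() if exp <= cutoff)


if __name__ == "__main__":
    installed = parse_snap_list(SAMPLE_SNAP_LIST)
    for snap in suspicious_wallet_snaps(installed):
        print(f"review: {snap} looks like a wallet app from an unverified publisher")
    for domain in expiring_domains(SAMPLE_DOMAIN_EXPIRY, date(2024, 2, 15)):
        print(f"renew: {domain} expires within 30 days")
```

Run against live data with `snap list | python3 audit.py` after replacing the sample string with `sys.stdin.read()`; the verified flag is a trust signal, not proof of safety, since the takeover described above keeps the publisher identity intact, so a hit from the name heuristic still warrants checking the snap against the project’s official site.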

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

5 Comments

  1. Boldos

    Yeah, snap store is yet another victim of scammers here.
    After all other stores being invaded by scammers/malware, snapstore is getting its share of fame too…

  2. Thomas

    There have been many fake wallets on play store and even apple store. Many browser extensions have stolen crypto and passwords etc. A lot of wallets should not really be trusted to begin with. Huge corporations that are supposed to protect you from malicious apps fail at this every year since malicious apps and extensions seem to get distributed by them even with their security measures. Even software downloaded directly from source or github can contain malware. Open Source does not mean something is safe. I do not trust most things but I have purchased crypto on robinhood but I know robinhood is safe and if robinhood made an official snap or flatpak I would have no issues trusting it over other options. Many people were recently infected on android from smarttube app that blocked youtube ads on tv and getting that app directly from source made no difference.

  3. John Doe

    One of the reasons I disable snaps soon after an Ubuntu/Kubuntu/Xubuntu install.

    1. Jane Doe

      And I fully support my hubby John Doe in doing so.

      1. Little Bobby Doe

        Mom? Pop? Where’s my dinner?!